A key-exchange protocol allows two parties to establish a shared key over a public network. Lacking authentication, the original Diffie–Hellman key exchange is insecure under a man-in-the-middle attack. Later the concept of an authenticated key exchange protocol was proposed. In the family of authenticated DH protocols, there are two methods of authentication: implicit authentication (example: HMQV) and explicit authentication (example: SIGMA). Implicit authentication is more efficient, while explicit authentication often needs a digital signature, so it is less efficient. When signing a message, a random number is used.

When implementing a key-exchange protocol authenticated with digital signatures, the two parties ($\hat{A}$ and $\hat{B}$) need to generate their public and private key pairs and ephemeral keys. For party $\hat{A}$, the private key is $a$, the public key is $A=g^a$ ($g$ is a generator of a cyclic group), and the ephemeral key is $x$. Both $x$ and $a$ are chosen randomly from a set. The same holds for party $\hat{B}$ ($b, B, x$).

My doubt is this: when party $\hat{A}$ is going to sign a message, can he use a random number he has already generated, such as $a$ or $x$, or must he generate a new random number specifically for the signature? Are there any security threats if he uses $a$ or $x$ to sign a message?

1 Answer
1

You should in general never use randomness from one cryptosystem in another cryptosystem. Bad things can happen.

Note that pseudo-randomness is good enough for cryptography, so generating new randomness is cheap.

Consider the specific example of using signed Diffie-Hellman with Schnorr signatures. Alice chooses a random number $r$, sends $g^r$, and later signs everything by hashing $g^r$ and some other stuff to $e$ and then computing $z = r - ae$, where $a$ is her long-term secret signing key.

Now suppose the secret signing key is compromised at some point in the future. An adversary that paid attention recorded $g^r$ and the signature $(e,z)$. That adversary now knows $e$, $z$ and $a$; he recovers $r$ and can then recompute the shared Diffie-Hellman secret.

So your advice is to never do that? And are there any other threats if I do that?
– T.B Sep 26 '13 at 14:17

But there are still some protocols that use the way I mentioned above, like this
– T.B Sep 26 '13 at 14:25

To keep it short, +1 to what K.G. said. Many bad things can happen: when you tie more than one thing to the same number, compromise of one can lead to compromise of the others. Considering how easy it is nowadays to get a good random or pseudorandom number, the whole notion of re-using them is not worth discussing.
– Mouse Mar 31 '14 at 2:57
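The Schnorr scenario from the answer above, worked through as an added illustration (this code is not from the question, the answer, or any protocol they mention). Assumptions: a constructed toy safe-prime group, SHA-256 as the hash, and a signed message of $(g^r, B)$; Alice's DH exponent $r$ is either reused as the Schnorr nonce or replaced by a fresh one, and the exchange returns the real shared secret beside what an attacker reconstructs once $a$ leaks.

```python
import hashlib

# Constructed toy group (illustration only): safe prime p = 2q + 1, and g = 4 has order q.
P, Q, G = 2039, 1019, 4

def challenge(commitment, msg):
    """Schnorr challenge e = H(g^nonce || msg), reduced mod q (SHA-256 assumed)."""
    data = f"{commitment}|{msg}".encode()
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % Q

def schnorr_sign(a, nonce, msg):
    """Sign msg under long-term key a with the given nonce (the answer's r when reused)."""
    e = challenge(pow(G, nonce, P), msg)
    z = (nonce - a * e) % Q
    return e, z

def schnorr_verify(A, msg, sig):
    """Check that g^z * A^e reproduces the commitment that hashed to e."""
    e, z = sig
    commitment = (pow(G, z, P) * pow(A, e, P)) % P
    return challenge(commitment, msg) == e

def recover_nonce(a, sig):
    """Given the long-term key and one signature, the nonce is z + a*e mod q."""
    e, z = sig
    return (z + a * e) % Q

def run_exchange(a, b, r, sig_nonce):
    """Signed DH: Alice (key a) sends X = g^r and signs it; Bob holds key b.
    Returns (shared secret, attacker's reconstruction after a leaks).
    Passing sig_nonce == r models the reuse the question asks about."""
    A, B = pow(G, a, P), pow(G, b, P)
    X = pow(G, r, P)
    msg = f"{X}|{B}"                      # "some other stuff": the transcript being signed
    sig = schnorr_sign(a, sig_nonce, msg)
    assert schnorr_verify(A, msg, sig)
    shared = pow(B, r, P)                 # Alice computes B^r; Bob computes X^b (equal)
    # Later the long-term key a leaks. From the recorded (msg, sig) the attacker
    # solves for the signing nonce and treats it as Alice's DH exponent.
    leaked = recover_nonce(a, sig)
    return shared, pow(B, leaked, P)

if __name__ == "__main__":
    print("reuse r:", run_exchange(123, 456, 789, 789))   # attacker matches the secret
    print("fresh k:", run_exchange(123, 456, 789, 321))   # attacker learns only k
```

With the reused exponent the two returned values are equal; with a fresh signing nonce the leaked key gives the attacker only that nonce, and the shared secret stays out of reach.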